
I'm currently writing a Spring MVC application, secured by Spring Security. For the login, basic form authentication is used, and since I didn't add further configuration the credentials are POSTed to http://www.localhost:8080/myWebApp/j_spring_security_check.

So far so good, but now I've introduced a second servlet (CometD), which shall not be affected by Spring or Spring Security. For this, I tried to change the servlet mappings to map Spring and Spring Security against /app, respectively /app/*, and the other servlet against cometd/*. My web.xml looks as follows:

<!-- Spring security -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/app/*</url-pattern>
</filter-mapping>

<!-- Spring MVC -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/app</url-pattern>
</servlet-mapping>

<!-- CometD -->
<servlet>
    <servlet-name>cometd</servlet-name>
    <servlet-class>org.cometd.server.CometdServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>cometd</servlet-name>
    <url-pattern>/cometd/*</url-pattern>
</servlet-mapping>

The problem with this is that after these changes I'm not able to log in any more. The server is not able to find any request mapping and the client tells me NetworkError: 404 Not Found - http://localhost:8080/myWebApp/app/j_spring_security_check.

What's wrong with these mappings? How can I configure Spring and Spring Security to only handle requests for specific mappings and not for / and /* as described in the documentation?

Thanks a lot in advance!

Best, René

rene
  • Is there a typo in the mapping for the `springSecurityFilterChain`? Shouldn't it be `/app/*` and not `/app*` (missing slash)? – sbordet Jan 09 '13 at 14:28
  • @sbordet: Hi Simone! Oh yes, you are right. I tested different variants. Unfortunately, it makes no difference. Still the `j_spring_security_check` cannot be found. I've edited the listing above to fix this issue. – rene Jan 09 '13 at 15:25

1 Answer


Leave your springSecurityFilterChain mapped to /. Change your security config:

<http use-expressions="true">
    <intercept-url pattern="/cometd/**" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</http>
Maksym Demidas
  • Thanks for the prompt response. But the reason I try to differentiate between the two servlets is that Spring 3.1.x (which I'm using) has problems with the async support needed by the CometD library. http://stackoverflow.com/a/8655113/1770617 indicates that the support is only planned for the 3.2.x release. So, unfortunately, this does not solve my problem. – rene Jan 09 '13 at 14:21
  • Maybe it would be better to go with Spring 3.2? Async support is implemented and it's GA: http://blog.springsource.org/2012/12/13/spring-framework-3-2-goes-ga/ – Maksym Demidas Jan 09 '13 at 14:44
  • Yes maybe. However, I hesitate because Spring 3.2 is not a stable release yet and I'd prefer to wait until it is. I thought I could change the mappings to avoid the problem. – rene Jan 09 '13 at 14:52
  • Ok. Try /app/* for appServlet and for springSecurityFilterChain – Maksym Demidas Jan 09 '13 at 15:11
  • Thanks. This was a typo as @sbordet also indicated. I've fixed this issue in the listing. Unfortunately, the problem remains the same. – rene Jan 09 '13 at 15:28
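
As an added example (not code from the question, the answer or Spring), the sketch below models Servlet url-pattern matching for the question's web.xml to show which requests reach the security filter and which servlet answers them. It assumes the form-login filter only handles a URI ending in context path plus processing URL; `trace`, `pick_servlet`, `pattern_matches` and the `/cometd/handshake` path are constructed for illustration.

```python
# Added example: simplified model of Servlet url-pattern matching applied to
# the web.xml from the question. All helper names here are hypothetical.
CONTEXT = "/myWebApp"                    # context path seen in the question's URLs
LOGIN_URL = "/j_spring_security_check"   # processing URL named in the question
QUESTION_SERVLETS = {"appServlet": "/app", "cometd": "/cometd/*"}

def pattern_matches(pattern, path):
    """Match a context-relative path against an exact or '/prefix/*' pattern.
    Extension ('*.jsp') and default ('/') patterns are left out of this model."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def pick_servlet(servlets, path):
    """Exact mapping wins, then the longest matching prefix, else the
    container's default servlet (which answers 404 for unknown resources)."""
    for name, pattern in servlets.items():
        if not pattern.endswith("/*") and pattern == path:
            return name
    prefixes = [(len(p), n) for n, p in servlets.items()
                if p.endswith("/*") and pattern_matches(p, path)]
    return max(prefixes)[1] if prefixes else "default"

def trace(filter_pattern, servlets, path, login_url=LOGIN_URL):
    """Report whether the security filter sees the request, whether the
    form-login filter handles it, and which servlet gets it otherwise."""
    filtered = pattern_matches(filter_pattern, path)
    # Assumption: the login filter only handles a URI that ends with
    # context path + processing URL, as Spring Security 3.x does by default.
    login_handled = filtered and (CONTEXT + path).endswith(CONTEXT + login_url)
    servlet = None if login_handled else pick_servlet(servlets, path)
    return {"security_filter": filtered, "login_handled": login_handled,
            "servlet": servlet}

if __name__ == "__main__":
    # Constructed request paths; /cometd/handshake is illustrative only.
    for flt in ("/app/*", "/*"):
        for path in ("/app/j_spring_security_check",
                     "/j_spring_security_check", "/cometd/handshake"):
            print(flt, path, trace(flt, QUESTION_SERVLETS, path))
```

With the filter mapped to `/app/*`, requests under `/cometd/*` never pass through the security filter chain, so no rule in the Spring Security configuration applies to them; with `/*` they do, and the `permitAll` rule from the answer is what lets them through.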